This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker.
commit 75bc19eea6433110733d53e4de23ab2703b19179
Author: Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
Date: Mon Feb 12 15:53:33 2018 +0100
x2gobroker/brokers/base_broker.py: Entire rewrite of check_profile_acls() method. (Fixes: #1234).
---
debian/changelog | 2 ++
x2gobroker/brokers/base_broker.py | 48 ++++++++++++++++-----------------------
2 files changed, 21 insertions(+), 29 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2d7940e..116897b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ x2gobroker (0.0.4.0-0x2go1) UNRELEASED; urgency=medium
 - x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3.
 - Unit tests: Fix deep misunderstanding in the way allow-deny vs. deny-allow should actually work.
+ - x2gobroker/brokers/base_broker.py: Entire rewrite of
+ check_profile_acls() method. (Fixes: #1234).
 * debian/{control,compat}: Bump to DH version level 9.
 * debian/{control,x2gobroker-common.install}:
 + Split out common files into non-Pythonian bin:pkg.
diff --git a/x2gobroker/brokers/base_broker.py b/x2gobroker/brokers/base_broker.py
index b6a6ee6..9a96fb5 100644
--- a/x2gobroker/brokers/base_broker.py
+++ b/x2gobroker/brokers/base_broker.py
@@ -363,19 +363,14 @@ class X2GoBroker(object): # if one stays False, the related session profile will not be returned to the querying # X2Go client... _grant_availability = { - 'by_user': False, - # FIXME: leaving the group access to False for now, we need methods that give us a generic - # acces to the list of groups a user belongs to. One generic access is asking libnss, but: - # are there others? - 'by_group': False, - # FIXME: set the client access to True for now as we have not a way to check that available... - 'by_client': True, + 'by_user': None, + 'by_group': None, + 'by_client': None, } ### CHECKING on a per-client basis... ### clients access is granted first, if that fails then we return False here... - if len( _acls['acl-clients-allow'] + _acls['acl-clients-deny'] ) > 0: _acls_clients_allow = copy.deepcopy(_acls['acl-clients-allow']) @@ -394,7 +389,7 @@ class X2GoBroker(object): _acls_clients_deny.insert(idx, '::/0') _allow_address_set = [] - _deny_address_set = ['ALL'] + _deny_address_set = [] try: _allow_address_set = netaddr.IPSet(_acls_clients_allow) _deny_address_set = netaddr.IPSet(_acls_clients_deny) 
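Review bot: The context comment above `_grant_availability` ("if one stays False, the related session profile will not be returned") is now stale: the three entries start as `None`, and with the `is not True` gate introduced later in this commit only an explicit `True` counts as a grant, so `None` also withholds the profile. The tri-state meaning is the whole point of the rewrite and deserves to be written down right here, e.g. `# tri-state per scope: None = no rule matched, True = granted, False = denied; anything but True withholds the profile`. The enclosing method (`check_profile_acls`, per the commit title) starts before this hunk, so I cannot see whether its docstring already states this.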
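Review bot: Changing the fallback from `['ALL']` to `[]` for `_deny_address_set` makes the failure mode of a malformed client ACL depend on code outside this hunk: if `netaddr.IPSet(...)` raises and the `except` (not visible here) swallows it, both sets stay empty, neither `_allow_client` nor `_deny_client` is set, and `by_client` stays `None`, which the later gate turns into a refusal. That is the right, fail-closed outcome, but it is easy to break by a later edit, so state the intent on the fallback line: `_deny_address_set = []  # on a parse error both sets stay empty: a malformed ACL must match nobody, so access is withheld`. Please confirm the `except` branch does not re-assign either set to something permissive.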
@@ -406,15 +401,14 @@ class X2GoBroker(object): _allow_client = self._client_address in _allow_address_set _deny_client = self._client_address in _deny_address_set - if not (_allow_client or _deny_client): - # client was not in either of the rules, so we presume that the client is allowed to access - _grant_availability['by_client'] if _order['clients'] == 'allow-deny': - _grant_availability['by_client'] = _allow_client and (not _deny_client) + if _allow_client: _grant_availability['by_client'] = True + elif _deny_client : _grant_availability['by_client'] = False else: - _grant_availability['by_client'] = (not _deny_client) or _allow_client + if _deny_client : _grant_availability['by_client'] = False + elif _allow_client: _grant_availability['by_client'] = True - if not _grant_availability['by_client']: + if _grant_availability['by_client'] is not True: return False ### no user/group ACLs are in use, allow access then... 
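Review bot: A client address that matches neither the allow nor the deny list now leaves `by_client` at `None`, and `if _grant_availability['by_client'] is not True: return False` refuses it — the reverse of the removed comment's "we presume that the client is allowed to access", and the commit message does not mention this behaviour change. Fail-closed is the better default for a broker ACL, but it should be deliberate and visible: add `# no client rule matched: by_client stays None and is refused below (fail closed)` before the `if _order['clients']` block. Note also that the `else` branch treats any value of `_order['clients']` other than `'allow-deny'` as deny-allow, so a misspelled order silently switches precedence; validating the order value where it is parsed would avoid that. The `if len(...) > 0:` block this code sits in starts in an earlier hunk, so I am assuming the `return False` gate is inside it and does not fire when no client ACLs are configured.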
@@ -424,26 +418,23 @@ class X2GoBroker(object): ### CHECKING on a per-user basis... - _allow_user_override = False - _explicitly_deny_user = False if len( _acls['acl-users-allow'] + _acls['acl-users-deny'] ) > 0: _allow_user = False _deny_user = False if username in _acls['acl-users-allow'] or 'ALL' in _acls['acl-users-allow']: - _allow_user_override = True _allow_user = True - if username in _acls['acl-users-deny']: - _explicitly_deny_user = True - if _explicitly_deny_user or ('ALL' in _acls['acl-users-deny']): + if username in _acls['acl-users-deny'] or 'ALL' in _acls['acl-users-deny']: _deny_user = True if _order['users'] == 'allow-deny': - _grant_availability['by_user'] = (_allow_user or _deny_user) and (_allow_user and (not _deny_user)) + if _allow_user: _grant_availability['by_user'] = True + elif _deny_user : _grant_availability['by_user'] = False else: - _grant_availability['by_user'] = (_allow_user or _deny_user) and ((not _deny_user) or _allow_user) + if _deny_user : _grant_availability['by_user'] = False + elif _allow_user: _grant_availability['by_user'] = True # if a user has been granted access directly, then the corresponding session profile(s) # will be provided to him/her, it does not matter what the group acl will have to say to this... 
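Review bot: Under `'allow-deny'` the new `if _allow_user: ... elif _deny_user:` ordering makes an allow entry win outright, so `acl-users-allow = ALL` turns every `acl-users-deny` entry into dead configuration — this is the inverse of Apache's `Order allow,deny`, where a deny overrides an allow, and an admin porting that mental model will get users granted that they meant to block. If that precedence is the intended semantics (the changelog says the unit tests were fixed to match it), write it on the branch so nobody "fixes" it back: `# allow-deny: a matching allow entry (including ALL) takes precedence over any deny entry; deny-allow is the opposite`. A user matching neither list is left at `None`, which the final decision later in the method treats as neither a grant nor a veto; one more short comment saying so here would save the reader a trip to the bottom of the method.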
@@ -462,14 +453,13 @@ class X2GoBroker(object): _deny_group = bool(len(set(_user_groups).intersection( set(_acls['acl-groups-deny']) ))) if _order['groups'] == 'allow-deny': - _grant_availability['by_group'] = (_allow_group or _deny_group) and (_allow_group and (not _deny_group)) + if _allow_group: _grant_availability['by_group'] = True + elif _deny_group : _grant_availability['by_group'] = False else: - _grant_availability['by_group'] = (_allow_group or _deny_group) and (not _deny_group) or _allow_group + if _deny_group : _grant_availability['by_group'] = False + elif _allow_group: _grant_availability['by_group'] = True - # if a group has been granted access, with one exception: if the thread model for users is - # allow-deny, then we presume that the acl-users-deny entry has precendence over - # acl-groups-allow/acl-groups-deny. - if (_grant_availability['by_group'] and not _explicitly_deny_user) or _allow_user_override: + if _grant_availability['by_group'] and _grant_availability['by_user'] is not False: return True return False -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git _______________________________________________ x2go-commits mailing list x2go-commits@lists.x2go.org https://lists.x2go.org/listinfo/x2go-commits
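Review bot: The new final decision `if _grant_availability['by_group'] and _grant_availability['by_user'] is not False:` encodes a precedence rule — an explicit per-user deny vetoes a group-level allow regardless of `_order['groups']` — and the hunk deletes the only comment that explained it; please restore one, e.g. `# an explicit per-user deny always wins over a group-level allow, whatever acl-groups-order says`. For consistency with the `is not True` / `is not False` gates elsewhere in the rewrite, test the group result explicitly too: `if _grant_availability['by_group'] is True and _grant_availability['by_user'] is not False:`. Unrelated to the changed lines but worth checking while here: the users branch special-cases the `ALL` keyword, whereas the group intersection in the context line `_deny_group = bool(len(set(_user_groups).intersection(...)))` only matches a group literally named `ALL`; if `ALL` is meant to be accepted in the group ACLs, it needs the same treatment.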